I have some questions want to know about nitro HOT 8 CLOSED

Hi and thanks for your interest for KVM-VMI.

A nitro event in the code means a system call event, yes.
More specifically it can be an event just before the system call enter into the kernel, which is when the syscall instruction is executed, or right before it goes back to userland (sysret).

We support for now only Intel and AMD fast system call instructions:

• syscall/sysret
• sysenter/sysexit

All syscalls following this convention are intercepted. Besides, since Windows XP, Windows does not use software interrupts anymore.

Otherwise, software interrupts like int 0x80 or int 0x2E are not supported, but they could be.
Your contribution is welcomed.

If you have other questions or a specific use case that you can detail, i would be happy to guide you through the code and installation.

from nitro.

My previous job was at KVM, I use libvmi. But I find that the events does not support KVM, then I choose Xen. However it's just a start, not very long. So I am hesitant. I want to do something on ubuntu first.
You say window does not use software interrupts. How about ubuntu? I want to know more informations about this. Do you know where I can get this info?
I think your project can work well on windows, for the open source ubuntu maybe easier.

from nitro.

Ubuntu is also using fast system call, since a long time now.

There is already someone working on supporting Nitro for Linux (extracting the syscalls from memory, associating them with their name, finding the right task_struct, etc...)

Yes, libvmi lack support for KVM, but i'm working on it (having a good driver, a memory access patch for QEMU, and how to get some VMI events from KVM).

You said that your previous job was at KVM, should i conclude that you were one of the KVM maintainers before ?
If so you could guide us through the code and help us find the best solution for Nitro and VMI in general.

I'd recommand you to test Nitro on Windows and play with the hooking API before trying to code something for Linux.
As i said, someone will soon make a pull request to add Linux support to Nitro.

Could you explain what use case you have in mind ?
Maybe i can better understand your concerns.

from nitro.

I am a green hand not a maintaioner for KVM. My previous job is only to get VM stat and ps information from host. It is too easy for you.
I want to get VM information such as stat, ps, task_struct, socket, files, event and so on to make VM anomaly detection. The informations which I collect are the features of the VM.
Now I recovery the task_struct and its point struct information. The event recovery is my next step.

from nitro.

Hi,

A new PR #13 has just been opened with some modifications to get a Linux backend support.
You should maybe take a look.

from nitro.

Sorry to reply you too late. I am busy recently. When I have time, I will see wheather I can use it or not. Thank you！

from nitro.

HI @Badangel .
Can i close this issue ?

from nitro.

OK. Thank you for your help.

from nitro.